"Whether a company loses a factory in a fire or millions of files in a cybersecurity incident, it may be material to investors." A new SEC rule has gone into effect requiring public companies to report cybersecurity incidents within 4 days.

[Image: government regulating companies, generated by ChatGPT] The US government is quietly imposing more and more regulations on cybersecurity. (Image credit: ChatGPT)

What you need to know

  • Cybersecurity breaches only seem to be getting more commonplace, with the recent high-profile MGM, Ardent Hospital, Xfinity, and Insomniac breaches.
  • Cybercriminals have an incentive to keep attacking these companies; companies need more incentive to improve protection rather than merely plan for recovery from a breach.
  • New SEC rules went into effect on Dec. 15th, forcing any public company to disclose a cyber incident within four days.
  • Other government regulations are also forcing companies to meet a base standard for cybersecurity compliance, in the hope of protecting our country and its allies.

It seems a week can't go by without hearing about a high-profile, massive cybersecurity breach. The talk of the town in the gaming world right now is the recent ransomware breach of Insomniac by the Rhysida ransomware group. However, some bigger breaches have taken place in the last 30 days, such as the Ardent Hospital breach that impacted 30 hospitals in 4 states. Xfinity confirmed a breach in the last week, disclosing that 36 million customers' information was impacted or stolen.

Something needs to change, and recently even Satya Nadella, CEO of Microsoft, called for more cybersecurity regulation. Let's take a look at some of the recent changes to cybersecurity regulation in the U.S. and whether they can help protect companies from cyber attacks.

Why is the U.S. government imposing more regulations for cybersecurity?

As previously discussed, there have been so many immense cybersecurity breaches recently that it is hard to name them all. There has also been a lot of talk about some reporters or journalistic outlets not wishing to discuss leaks that came from a data breach, specifically in the case of Insomniac's leaked upcoming games. One of the arguments made by these outlets was that we should think of the human element. As a cybersecurity professional, this bothers me, because they are not thinking of the human element in the cybersecurity department.

Most people who have worked at a large company know that the most underfunded departments are usually the Information Technology and Cybersecurity departments. Unfortunately, companies don't seem to want to invest in proper cybersecurity until after they have a breach.

Cybersecurity Ventures has a lot of great stats and research into the global cybersecurity landscape. The team over at Cybersecurity Ventures released a video discussing the estimated cybercrime damage cost in 2023.

Since most companies have decided, correctly so, not to pay ransoms, the only remaining effect they might feel from having lax cybersecurity would be financial loss due to their plans being leaked. I don't believe that cybercriminals should be allowed to attack these companies and get away with it, but I also think that companies should have more fear of having their data breached and, based on that fear, invest in hiring and funding more cybersecurity personnel to protect their company. If companies can be negligent in protecting their data, suffer a data breach, and then have relatively little negative impact on the company's bottom line, then these companies will continue to underfund their cybersecurity departments.

Hopefully, some of these regulations will prevent that from happening. By forcing public companies to disclose cybersecurity incidents within four days and imposing mandatory cybersecurity minimums for nearly every sector of the economy, there should be less chance that a company is breached due to negligence, which is the best-case scenario for both companies and the cybersecurity profession.

"Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today's rules will benefit investors, companies, and the markets connecting them."

SEC Chair Gary Gensler

What regulations have the U.S. Government implemented to improve cybersecurity?

On July 26th, 2023, the SEC issued a press release announcing new rules that would force all publicly traded companies to disclose cybersecurity incidents within four days of determining that an incident is material. On December 15th, 2023, these new rules went into effect, but to little fanfare.

This should help avoid situations where the public first hears about a data breach from a ransomware group rather than from the company itself. Companies have a large incentive to ignore the issue and not report on it, as it can negatively affect stock prices. However, with this new regulation in place, companies will have to bolster their incident response teams so that they can effectively react to cybersecurity incidents, remediate them, perform discovery to find what data was affected, and get all of that written up in the new Item 1.05 of Form 8-K within just four days of determining the incident is material.

The new rules will require registrants to disclose on the new Item 1.05 of Form 8-K any cybersecurity incident they determine to be material and to describe the material aspects of the incident's nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant. An Item 1.05 Form 8-K will generally be due four business days after a registrant determines that a cybersecurity incident is material. The disclosure may be delayed if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing.

U.S. SEC

[Image: Hoover Dam] If critical infrastructure like dams and power plants falls susceptible to a cyber-attack, the results could be catastrophic, causing massive flooding or power outages for millions in winter. (Image credit: Unsplash)

This new rule comes after an Executive Order from May 2021 which greatly increased government oversight of cybersecurity. Several agencies have imposed their own regulations, such as the Transportation Security Administration's (TSA) new requirements, the Department of Homeland Security (DHS) Acquisition Regulation, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), and the Environmental Protection Agency's Cybersecurity for the Water Sector.

The Cybersecurity and Infrastructure Security Agency (CISA) has identified 16 critical infrastructure sectors that need to follow Presidential Policy Directive 21 (PPD-21): Critical Infrastructure Security and Resilience, which "advances a national policy to strengthen and maintain secure, functioning, and resilient critical infrastructure."

To improve reporting and compliance, the government has implemented whistleblower protections. 

"If you work in any of these Critical Infrastructure Sectors and you feel you’ve been retaliated against for raising concerns to your employer or regulators about critical infrastructure, you may contact the U.S. Department of Labor Occupational Safety and Health Administration (OSHA). OSHA’s Whistleblower Protection Program enforces over 20 anti-retaliation statutes that may protect your report."

CISA.gov

These whistleblower protections are also becoming more relevant for non-critical sectors. Per JDSupra.com: "In October 2022, Penn State was sued by a former chief information officer (CIO) for allegedly failing to safeguard CUI as contractually required and knowingly submitting false security compliance reports."

This is the kind of activity that must stop. Companies underfund their cybersecurity departments, forcing burn-out and impossible expectations on the few cybersecurity analysts they employ, and when the company isn't meeting a bare minimum standard, they simply falsify compliance reports and state that they are meeting the standards.

Why are cybersecurity regulations important and how do they help the cybersecurity profession?

If the concept here is a bit hard to grasp, think of it like an NFL football team.

  • The NFL team's owner is the C-suite in a company.
  • The head coach is the Chief Information Security Officer, and the coaching staff are the other cybersecurity members in the department.
  • Sometimes a head coach has all of the funding, talent, and facilities that the ownership can provide, and they still lose the game.
  • But usually, the head coach is battling with ownership about which draft picks to choose and which talent to trade, and isn't getting the support they need.
  • In this case, if the head coach has a losing season, they are usually held responsible and fired along with most of their coaching staff.

The same is true in cybersecurity. Most people in the industry know that if a breach happens to a company, it is usually the CISO and upper cybersecurity management who will be forced to fall on their swords; the C-suite, however, is normally impervious to any repercussions.

Hopefully, with improved regulations and oversight, companies will determine that the risk and cost of underfunding and under-supporting the cybersecurity department are higher than the cost of building out an efficient, well-maintained cybersecurity department that is agile, properly trained, and prepared to handle the ever-constant attacks from enemies of the U.S. and her allies.

The government has recently gone so far as to sue negligent individuals and companies whose conduct led to a massive breach that allowed malicious actors to access U.S. Government agencies and directly affected national security.

SEC says SolarWinds and its then vice president of security, Tim Brown, defrauded investors and customers “through misstatements, omissions and schemes” that concealed both the company’s “poor cybersecurity practices and its heightened — and increasing — cybersecurity risks.”

Frank Bajak VIA Fortune

This is an unprecedented action by the government and has put companies around the country on notice. I'm normally not a fan of government regulation as a rule, but regarding cybersecurity, it seems to be nearly as important as the laws that require auto insurance. If there weren't a law demanding auto insurance, many people would forgo it with the thought that they would simply drive carefully and not get in an accident.

The same seems to be true of the high-level executives running these massive corporations: they think they can simply duct-tape together a cybersecurity department, leave it without proper resources, and still dodge cybersecurity attacks, or, if they suffer a breach, just deal with the fallout and recovery. It is a sad state of the world that the public has become highly desensitized to data breaches. It's at the point now where most people have had their private information, including name, D.O.B., and social security number, stolen so many times that we have all received free credit monitoring for years (every time your data is stolen, you receive free credit monitoring).

With all of this being the case, I'm glad that the government is taking cybersecurity seriously. Make no mistake, warfare can be waged through the 1s and 0s that power all of our technology, and everything is connected. Companies need to protect themselves, their employees, and their customers. Sure, maybe Xfinity losing 63 million customer records in a breach doesn't affect national security directly, but what if one of those Xfinity customers is an NSA analyst and, due to the common practice of password reuse, attackers can access the analyst's accounts on other systems? These kinds of hypotheticals aren't out of the realm of possibility, especially if nation-state actors get involved.


What do you think about the government working to increase regulations on companies to improve overall cybersecurity? Do you think it can help to reduce the number of breaches we are hearing about on the news? Let us know in the comments. 

Colton Stradling
Contributor

Colton is a seasoned cybersecurity professional who wants to share his love of technology with the Windows Central audience. When he isn't assisting in defending companies from the newest zero-days or sharing his thoughts through his articles, he loves to spend time with his family and play video games on PC and Xbox. Colton focuses on buying guides, PCs, and devices and is always happy to have a conversation about emerging tech and gaming news.